Regulating e-commerce: lessons from India

Dan Hunter, a faculty member in the legal studies department at the Wharton School, discusses the moves being made by governments around the world to regulate e-commerce.

January 2, 2002, 4:43 PM PST

Governments around the world are waking up to the fact that the Internet and e-commerce need to be regulated.

The Indian Parliament, for example, has just passed an Information Technology Act, which lays the framework for e-commerce in India, while European and U.S. governments are in the process of framing their own laws to regulate the Internet.

What will such regulations mean for the prospects of e-commerce in emerging economies like India and for developed countries in the West? Dan Hunter, a faculty member in the legal studies department at the Wharton School, discusses the moves being made by governments around the world to regulate e-commerce.

Knowledge@Wharton: What is your opinion of the Indian Information Technology Act?
Hunter: India's e-commerce act is interesting because developing countries recognize it is important to provide mechanisms for innovation in electronic commerce. India has a great many issues to deal with, but it clearly sees that the act is an important way of bypassing a series of intermediate steps to an electronic commerce environment.

The other interesting thing is that it reflects the dominant political culture, like a lot of these bills do. The Indian government has taken the view that electronic commerce is something that needs to be strongly regulated so that it doesn't get out of control.

Should any government try to control a medium like the Internet? Would this not stifle e-commerce?
It's interesting to see the degree to which the Indian central government wants to control various aspects of the electronic commerce process. This is primarily seen in things like the new Central Government Regulatory Authority created to license trusted third parties for public key encryption. It is also seen in the central tribunal for adjudication of cyberdisputes.

Clearly, the Indian law also gives fairly strong powers to the police to seize and have access to records of cybercrimes like hacking. The interesting point, as an extension from the Indian Act to other countries, is that lots of governments see e-commerce and the Internet generally as something they can control while it is still in its nascent stages.

Governments that traditionally are not seen as strongly controlling--such as the United States and United Kingdom--are also doing this. The U.S. government, for example, has made several attempts to control certain aspects of the Internet. There have been proposals that email should be able to be intercepted by appropriate government authorities.

Similarly, in the United Kingdom, the proposed Electronic Communications Bill has a section devoted to the interception of communications; it suggests that Internet service providers and other carriers should provide a mechanism through which government agencies could look at suspect communications. This has raised all sorts of concerns among libertarians and free-speech advocates in the U.K.

In England, it is not clear whether the bill will go ahead in its current form or whether the requirement for interception of communications will be removed. This has also happened in the United States in a number of instances--the cases of ACLU (American Civil Liberties Union) vs. U.S. Attorney General Janet Reno and the Federal Communications Decency Act have both been struck down by the Supreme Court. The court's argument was that in controlling content, the government would be circumscribing free speech.

In that sense, the Indian approach is no different from the approaches of a lot of other governments. It's just more obvious in the Indian act because it was pushed through without too much consultation and discussion. It remains to be seen whether anyone will challenge the Indian government's approach.

Is it enough to have legislation for e-commerce without related laws on privacy?
One of the criticisms about bills of this sort is that they should try to be all-encompassing and react to the kinds of problems that arise out of the growth of e-commerce. For example, people think such laws should address problems of privacy and consumer protection and also regulate content like hate speech or pornography.

The trouble with trying to write all-encompassing legislation is that one runs the risk of having no legislation passed at all. What India has done is try to provide for the fundamental mechanism for electronic transactions by basically legalizing electronic transactions. Having got that in place, the country now has the opportunity to add more legislation about privacy and consumer protection.

The interesting thing about the Indian act, when compared to the proposed English legislation, is that it just doesn't provide one mechanism for making electronic transactions legal. The British bill says that existing contracts legislation would be amended in an ad hoc way as required. Compared to that, the Indian legislation is more comprehensive.

The U.S., too, has not tried to tackle every issue at once in an all-encompassing bill. There are a number of small amendment bills, which have been going through regularly. One piece of legislation removes excise taxes on telephone calls; another proposed bill is for electronic signatures. While these are small pieces of legislation in themselves, put together they form a cohesive whole.

The U.S. experience shows that if you try to get agreement on privacy regulation--and if all the other legislative initiatives depended upon a consensus emerging about privacy issues--nothing would happen. Privacy is a difficult issue and very hard to resolve in the situation, because there are many interest groups that have very different approaches. Since privacy as an issue is only beginning to make waves now, making other pieces of legislation dependent on privacy would mean that nothing would get passed.

One peculiar thing India has done in terms of electronic signatures is to spell out the choice of technology. Have other countries followed the same procedure?
Many countries have taken the advice of technologists and lawyers and tried to make these things technology-neutral. What India has done is to make the legislation entirely dependent on public key cryptography. While that is clearly the current standard, it is not clear if it will always be the standard and if it will always be the best way of dealing with electronic transactions.

So essentially what the Indian act says in large part is that transactions that are secured by public key cryptography will be satisfactory for the purpose of electronic transactions. This means that if two people have reached an electronic agreement by email, it is not entirely clear whether that would be a legally enforceable transaction, though it should be.

The question is why should the Indian bill be tied to technology, which may not be relevant to the way people may transact. A lot of other countries have sought simply to say that transactions that occur electronically, provided they fulfill all the other formalities of a real-world transaction, will not be thrown out just because the transaction is electronic. That way the transaction is technology-neutral, and you leave it to the parties to decide whether they want fully encrypted transaction systems or whether they want to use some other system.

How do governments tackle the issue of cyberjurisdiction beyond their borders?
The Indian approach is not greatly different from approaches taken by different countries. The issue is the jurisdiction that governments have for transactions that happen over the Internet.

The Indian approach is to say that there are certain nexus points or connections that are sufficient to permit jurisdiction. That's the approach of a number of nation-states. Lots of countries say that they will impose jurisdiction based on a number of criteria, such as whether the person is making the transaction in that country or whether the country is connected to the transaction.

The debate is particularly fierce concerning taxation of e-commerce, since many countries would love to tax transactions passing through their borders even though the parties to the transaction may not be based in that country. So India's position is not consistent with that of other nation-states.

A lot of problematic questions do arise, though. Should any bit of information that passes through a country be subject to its laws? Can countries tax information and transactions passing through a country's networks even though they may be mere stopping points in the global network? How should governments regulate companies that are incorporated offshore?

Take the case of the Internet gambling site World Sports Exchange. It is based in Antigua, where gambling is legal. The state of New York argues, however, that since a lot of the people using the site are based in New York, the Web site violates its laws, which prohibit Internet gambling. The state of New York brought the owners of the World Sports Exchange to court in New York.

So there are a huge number of issues about jurisdiction. Most countries at this stage have a very clearly defined law about how this is going to work.

One of the concerns that may arise is that these jurisdiction problems will force investment offshore. If companies think there are jurisdictional problems in one country's Internet space, it is easy enough to set up companies offshore wherever there is a better regulatory policy. It is unclear how this all may play out.

Having left the Internet to be self-regulated or unregulated, are countries coming around to the view that some kind of legislation is necessary?
Definitely. In the last two to three years, there has been a fundamental shift in the approach of governments about the Internet. In the past, Net entrepreneurs strongly favored self-regulation. This approach worked in the early stages of the Internet, but only before e-commerce became a big issue.

Christmas 1999, for example, saw a significant critical mass of people in the U.S. shopping on the Net. The U.S. government realized that it had to have a tax regime for the Net just as it does for real-world commerce. Last Christmas, the issue was not so much about taxation but consumer protection, because lots of Web sites didn't provide the products that had been ordered or provide secure transactions.

This gave rise to the argument that consumer protection should be built into e-commerce in the U.S. Lately we've seen concerns about the private data that is provided to Web sites by consumers and how these Web sites use this data.

Governments till recently have been relatively unsure how to regulate these activities, but lately they have realized that these are transactions in a commercial environment like any other, and regulation is inevitable. The debate is about how to do it.